Rootkits do not signal impending doom for corporate IT, but companies need to keep up their defenses as the malware tools begin to spread, experts say.
The best way to deal with rootkits is to prevent infection in the first place - which is easier said than done. Besides maintaining traditional layers of security - firewalls, anti-virus software and patching - experts recommend locking down desktops to control software installation and operating system manipulation.
"Rootkits are not an end-of-the-world situation," says Rob Murawski, a member of the technical staff at Carnegie Mellon University's Software Engineering Institute CERT Coordination Center (CERT/CC) in Pittsburgh, Pa. "But it is an arms race between those that create rootkits and those that create detectors."
And that race is reaching a fever pitch. The number of rootkit attacks reported to McAfee labs in the first quarter of 2006 was up 700% compared with the same period in 2005, McAfee says.
A rootkit is malware that slips into a system and hides, and gives no indication that the system has been compromised. It can be used for any number of misdeeds, such as installing backdoors that can be used for remote access by hackers, or allowing a machine to be used as a staging point for attacks on other systems, according to CERT. Rootkits also can discover that security tools are looking for them and dodge detection.
While traditional malware spreads as widely as it can and wreaks as much havoc as possible, rootkits are increasingly being aimed at specific targets, such as banks.
"What we've seen with rootkits is the transition from the notoriety-type virus writer to the for-profit virus writer," says David Frazer, director of technologies for F-Secure, which develops an anti-rootkit tool called BlackLight. "The more professional-type malware writers have R&D. They have external funding."
Those efforts are producing custom rootkits whose signatures, unlike those of well-known rootkits such as Hacker Defender, are not in the documented profiles that signature-based detection tools rely on, so those tools cannot discover them automatically.
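The detectors that did not depend on signatures worked differently: they took two views of the same system state through different paths and reported whatever appeared in the low-level view but not the high-level one, the cross-view approach behind tools of that era such as Russinovich's RootkitRevealer. As an added illustration (not code from the article or from any vendor named in it), the script below applies that idea to Linux process lists: a rootkit that hooks directory listing of /proc to hide a process still has to let the kernel answer kill(pid, 0) for it. It assumes a Linux host with /proc mounted; the function names and the hidden PID 4711 in the demonstration are constructed for the example.

```python
"""Cross-view rootkit detection, shown on Linux process lists (added example)."""
import os
import re

_NUMERIC = re.compile(r"^\d+$")


def listing_view(proc_root="/proc"):
    """High-level view: PIDs as a readdir() of /proc reports them.

    This is the path tools such as `ps` take, and the one a rootkit hooks
    when it wants a process to vanish from every ordinary listing.
    """
    return {int(n) for n in os.listdir(proc_root) if _NUMERIC.match(n)}


def thread_view(proc_root="/proc"):
    """Thread IDs of every visible process, read from /proc/<pid>/task.

    kill() accepts a thread ID as well as a PID, so without this set every
    non-leader thread would be reported as a 'hidden process'.
    """
    tids = set()
    for pid in listing_view(proc_root):
        try:
            tids.update(int(t) for t in os.listdir(f"{proc_root}/{pid}/task"))
        except OSError:        # process exited while we were looking
            continue
    return tids


def probe_view(max_pid=None):
    """Low-level view: ask the kernel about every PID directly.

    os.kill(pid, 0) sends no signal; it only reports whether the PID exists.
    ESRCH (ProcessLookupError) means no such process; EPERM (PermissionError)
    still proves the process is there. A hook on directory listing does not
    affect this path.
    """
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def cross_view_diff(high_level, low_level):
    """Entries the low-level view sees that the high-level view does not."""
    return sorted(set(low_level) - set(high_level))


def simulate_hook(view, hidden):
    """Constructed stand-in for a hooked listing API: it drops the hidden PIDs."""
    return {pid for pid in view if pid not in hidden}


def find_hidden_pids(max_pid=None, passes=2):
    """Live cross-view scan: PIDs the kernel knows about but /proc does not list.

    Processes start and exit between the two snapshots, so a PID is reported
    only if it survives `passes` consecutive comparisons.
    """
    suspects = None
    for _ in range(passes):
        visible = listing_view() | thread_view()
        hidden = set(cross_view_diff(visible, probe_view(max_pid)))
        suspects = hidden if suspects is None else suspects & hidden
        if not suspects:
            break
    return sorted(suspects)


if __name__ == "__main__":
    # Constructed demonstration: a hooked listing hides PID 4711.
    real = {1, 2, 100, 4711}
    hooked = simulate_hook(real, hidden={4711})
    print("hidden by hook:", cross_view_diff(hooked, real))
    # Live scan of this machine; an empty list is expected on a clean host.
    print("live scan:", find_hidden_pids())
```

The point of the two-pass check in find_hidden_pids is the same caveat every cross-view detector has to handle: the two views are never taken at exactly the same instant, so a process that started between them looks hidden once and must be cleared by a second comparison rather than reported. A rootkit that also hooks the kill() path defeats this particular pair of views, which is why real detectors compare several independent paths (file system, registry or directory structures, network tables) rather than one.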
Last year, the University of Connecticut found a rootkit that had been in its network for two years. The university said no data was compromised because the rootkit failed to install properly.
"The stakes are raised in this cat-and-mouse game," says Mark Russinovich, chief software architect for Windows management vendor Winternals Software. There is now a lot of funding behind the creation of malicious code, he says, "making it lucrative to come up with innovative ways of delivering malware and keeping it on people's machines."